fix: stop invalidating Keystone tokens on neutron ArgoCD sync#2060
Open
skrobul wants to merge 3 commits into
Avoid invalidating existing Keystone tokens on every sync by probing auth with the candidate password before applying it; only update when authentication fails (password has changed or was never set).
This is to gain the ability to modify ks-user jobs.
Same pattern as the keystone-upsert sensor: probe auth with the candidate password before applying it to avoid invalidating Keystone tokens on every sync when the password hasn't changed.
Submitted upstream fix: https://review.opendev.org/c/openstack/openstack-helm/+/991058
For a while we have been experiencing occasional issues with authentication between Neutron and Undersync. This was traced down to the tokens for service accounts being prematurely invalidated.
Turns out Keystone revokes all of the existing tokens when the password change for a given account is attempted. It does not matter if the password is already set to the exact same value or not. This PR works around that problem by executing the password change API call only when the desired password does not authenticate.
Please note this fixes only Neutron where we have seen that problem the most. I am working on a more generic, upstream patch for other components.
related https://rackspace.atlassian.net/browse/PUC-1615
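
The probe-before-set pattern described above, sketched as an added example; it is not the PR's or openstack-helm's own code. It assumes the caller's `OS_*` environment holds Keystone admin credentials, and the `SVC_*` variable names and both function names are hypothetical.

```bash
# Added example (not the PR's code). SVC_* variable names are hypothetical;
# the caller's OS_* environment is assumed to hold Keystone admin credentials.

# Exit 0 if the candidate password already authenticates as the service user.
# The body is a subshell, so the caller's admin OS_* variables are not changed.
password_is_current() (
  export OS_USERNAME="$SVC_USER" OS_PASSWORD="$SVC_PASSWORD"
  export OS_USER_DOMAIN_NAME="$SVC_USER_DOMAIN"
  export OS_PROJECT_NAME="$SVC_PROJECT"
  export OS_PROJECT_DOMAIN_NAME="$SVC_PROJECT_DOMAIN"
  openstack token issue -f value -c id >/dev/null 2>&1
)

# Prints "unchanged" or "updated". Returns 2 if the user cannot be looked up,
# 1 if the password update itself fails.
ensure_service_password() {
  # Admin lookup first: an unreachable Keystone or a missing user must not be
  # mistaken for a changed password.
  openstack user show --domain "$SVC_USER_DOMAIN" "$SVC_USER" \
    -f value -c id >/dev/null || return 2

  if password_is_current; then
    echo unchanged   # no password API call, existing tokens stay valid
    return 0
  fi

  # Probe failed: the password differs or was never set, so apply it.
  openstack user set --domain "$SVC_USER_DOMAIN" \
    --password "$SVC_PASSWORD" "$SVC_USER" || return 1
  echo updated
}
```

The probe can also fail for reasons other than a wrong password, for example when the user has no role on `SVC_PROJECT` yet; in that case the function falls back to setting the password, which is the behaviour from before the fix.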